
1Password to change file formats after key file found to contain unencrypted data

1Password makers AgileBits have promised to change one of the default file formats in the software in response to a blog post by Microsoft engineer Dale Myers, who revealed that an AgileKeychain file was displaying unencrypted metadata.

Associated with the software's 1PasswordAnywhere service — which allows remote access without having 1Password installed — the file contains the name and address of every stored item, which could potentially reveal large swaths of personal information such as visited sites, bank accounts, and purchased apps, Myers said. Worse, keychains hosted on websites are indexed by Google, which could make it easy to learn someone's personal details through an informed Web search.

In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption. It introduced a secure format called OPVault in December 2012, but chose not to automatically migrate everyone since the switch might cause compatibility problems with older versions of 1Password.

The company is already transitioning to making OPVault the default format, starting with the latest 1Password for Windows beta. Mac and iOS upgrades should happen "soon," AgileBits said, and the technology is eventually coming to Android. Only once all these changes happen will migration become automatic.

In the meantime, the company is offering instructions on how to use OPVault where possible. People who only use the 1Password iOS app, for instance, can choose to sync via iCloud.



49 Comments

auxio 19 Years · 2766 comments

Quote:
Originally Posted by sog35

WTF.

This is ridiculous. All trust lost.


Seriously. As a security-related company you need to have one guiding principle be highest priority: keep information secure. If you sacrifice that for anything else, you're dead in the water.

helge 9 Years · 11 comments

So what. The keys might be visible on some old files - this app is about securing the value behind the keys. But it is a "splendid" idea from a M$ employee to brag about such information without contacting the software maker first. It means that displaying his find was more important than the security of the few remaining users who use winsux mobile. Perhaps 1Password should simply pull that app from the M$ store.

crowley 15 Years · 10431 comments

Didn't use the Anywhere service, but this is a bit concerning; 1Password is a crucial application for me and many others, and if anyone had access to that data they could do major damage.  I'm not going to reactively crucify them for issues with a legacy format for a service that I didn't use, but they need to make a good response to this, and quickly.

konqerror 12 Years · 685 comments

Quote:
Originally Posted by sog35

WTF.

This is ridiculous. All trust lost.

According to Wikipedia, Apple is the exact same. Guess it's Windows for you.

https://en.wikipedia.org/wiki/Keychain_(software)

Quote:
The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the passwords and Secure Notes are encrypted, with Triple DES.

Apple's documentation supports this

https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/keychainServConcepts.pdf

Quote:
For keychain items that do not need protection, such as certificates, the data is not encrypted....

As you might expect, Internet passwords include attributes for such things as security domain, protocol type, and path. The passwords or other secrets stored as keychain items are encrypted.... The attributes are not encrypted, however, and can be read at any time, even when the keychain is locked.

sflocal 16 Years · 6138 comments

I've been seriously considering 1Password's service to better manage passwords.  Apple's method has a lot to be desired.

I'll keep an eye on it, but I'm holding off for now.

It's absurd that a security company even remotely considered (at one time) having unencrypted data.  Just ridiculous.  They burned the trust for a lot of people.

What's your take on this Solips?  I know you're a big fan of the service.